Abstract

Model-based diagnosis has now advanced to the point where autonomous systems face some uncertain and faulty situations with success. The next step toward more autonomy is to have the system recover itself after faults occur, a process known as model-based reconfiguration. Given a prediction of the nominal behavior of the system and the result of the diagnosis operation, this paper details how to automatically determine the functional deficiencies of the system once faults have occurred. These deficiencies are characterized in the case of uncertain state estimates. A methodology is then presented to determine the reconfiguration goals based on the deficiencies. Finally, a recovery process interleaves planning and model predictive control to restore the functionalities in prioritized order.

1 Introduction 

Model-based autonomous systems already face faulty situations with some success: they detect and diagnose faults either by identifying potential candidates for their own physical state [6] or by reasoning on their structural and behavioral knowledge [5]. The next step toward more autonomy is to have the system recover itself after faults occur, a process known as model-based reconfiguration 3 (MBReconf). Automated reconfiguration comprises three steps: goal identification, goal selection and recovery. Goal identification searches for a set of potential states of the system in which the fault effects are inhibited; goal selection is the process of deciding the best of these states, denoted goal states; recovery searches for the chain of actions that may turn the physical system state into the desired goal states. Recent architecture designs for autonomy [11] put the goal identification and selection processes outside the scope of model-based diagnosis, in the hands of upper decisional levels. The aim of this paper is to produce an automated goal identification/selection/recovery methodology that takes better advantage of the system model. Due to several factors, MBReconf is a challenging problem:

• The state of the system cannot be uniquely determined in all situations. Recent model-based monitoring/diagnosis systems track several potential non-faulty/faulty state estimates simultaneously [12, 2]. Moreover, the set of state estimates is the result of a selection process, as the total number of possible states is too large to be explored. The ambiguity is however mitigated by the fact that the number of state estimates is typically small.


1 NASA Ames Research Center, Moffett Field, California 94035, email: ebenazer@email.arc.nasa.gov

2 LAAS-CNRS, 7, av. du Colonel Roche, 31077 Toulouse Cedex 4, email: louise@laas.fr

3 For now, most embedded controllers include pre-compiled recovery policies as part of a rule-based system.


• Fault effects may differ from one state estimate to another. For this reason, pre-compiled policies may fail to recover the system by proposing an improper command when the state is uncertain.

• Nowadays, embedded digitally controlled systems have complex behaviors characterized by a preeminence of discrete switches in their dynamics. They are modeled as hybrid systems, which exhibit both discrete and continuous dynamics.

Referring to the faulty states as the estimates that result from the diagnosis operation, as opposed to the nominally predicted states, we propose to compare the faulty states with the predicted states and thus determine the functional deficiencies caused by the faults. In this context, functional deficiencies are variable instances that hold in one or more predicted states and that have been lost in one or more faulty states. Our approach aims at minimizing the size of a functionality to recover while maximizing its coverage of the estimates. The contributions of this paper are threefold. First, we show how this strategy leads to a finite set of disjoint functional deficiencies, and characterize them. Second, we propose a methodology to identify potential goals from the deficiencies based on a productive analogy with model-based diagnosis, reasoning at a single point in time despite the system's continuous dynamics. Third, we show how to interleave conformant planning and model predictive control to bring the system's hybrid dynamics from the initial faulty (uncertain) state to the potential goal state.

2 Hybrid Model-Based State Prediction and 
Diagnosis 

In this section we introduce a comprehensive formalization of model, 
state and uncertainty. The autonomous system is considered a model- 
based system, i.e. that has a structural and behavioral knowledge of 
itself. 

Definition 1 (Model-Based System). A model-based system $A$ is a tuple $(C, \mathcal{M}, T, X, E)$, where $C$ is a set of modeled components, $\mathcal{M}$ a set of finite discrete variables representing component behavioral modes, $T$ a set of transitions among these modes, $X$ the set of continuous variables, partitioned into state variables $X_x$, output (observed) variables $X_y$ and input variables (commands) $X_u$, and $E$ a set of continuous static/differential equations over $X$.

In this paper we use a hybrid description of the physical system's state. The hybrid state $s$ is the tuple $(M, X)$. Instances of variables $v$ in $\mathcal{M} \cup X$ are noted $(v = v_j)$, or $v_j$ for short. The hybrid state's discrete side abstracts the physical system as a set of mode instances $M = \bigwedge_k C_k.m_{t_k}$, where $C_k.m_{t_k}$ is an instance of a variable $m \in \mathcal{M}$ of component $C_k \in C$. The continuous state $X$ is made of instances $x_j$ of continuous variables of $X_x$. Instances of observed variables of $X_y$ are noted $y$ (vector $Y$), and $\bar{y}$ (vector $\bar{Y}$) denotes the measured value. Commands are noted $u$ (vector $U$). We consider a discrete-time model of the form:

$$E:\ \begin{cases} X(k+1) = f(X(k), U(k)) \\ Y(k) = g(X(k), U(k)) \\ 0 \le h(X(k), U(k)) \end{cases} \qquad (1)$$

System $A$'s behavior is described with rules of the form $\bigwedge_i e_i \ \text{if}\ \phi$, where $e_i \in E$ and $\phi$ is a conjunction of equalities/inequalities over functions of variables in $\mathcal{M} \cup X$. A set $T_m = \{\tau_1, \dots, \tau_{n_m}\}$ of transitions is specified for each mode $m$. Each transition $\tau$ is enabled according to a guard $\phi$, and may trigger with probability $p(\tau)$ whenever the guard is satisfied. $T(s_i, s_j)$ denotes the set of transitions that move $A$ from $s_i$ to $s_j$.

Figure 1. Pressure expansion system

Given the ability $A$ has to predict and diagnose its own behavior, we respectively note $\mathcal{P}(A)$ the prediction of the hybrid system's nominal state, and $\mathcal{D}(A)$ the diagnosis result after a fault occurs. Note that when fault modes are present, the diagnosis may become a state identification problem, and $\mathcal{P}(A)$, $\mathcal{D}(A)$ may result from the same engine. Uncertainty on the physical system's state requires us to consider $\mathcal{P}(A)$ and $\mathcal{D}(A)$ as sets of hybrid states. We denote

$$\mathcal{S} = (\mathcal{P}(A), \mathcal{D}(A)).$$

Example (Pressure expansion system). Figure 1 pictures our case study: a two-valve system that limits water pressure between flow input $Q_0$ and flow output $Q$. An electric switch $S$ powers valve $V_2$ when pressure $P_0$ equals or exceeds threshold $P^*$. $V_2$ opens when powered. $S$, $V_1$ and $V_2$ have two nominal operational modes, open and closed, and two faulty modes, stuck_closed and stuck_open. $Q_0$ and $Q$ are measured. $P_0 > P_{atm}$ is the only input to the system; $P_{atm}$ denotes the atmospheric pressure.

Our scenario assumes faults occur when the prediction of the nominal state is uncertain 4, i.e. the uncertainty on the pressure does not allow us to discriminate between two predicted states 5:

$$s_N^1:\ \begin{cases} Q_0 > 0,\ P_0 < P^* \\ V_1.m = open \\ S.m = open \\ V_2.m = closed \\ Q_1 > 0,\ Q_2 = 0,\ Q > 0 \end{cases} \qquad s_N^2:\ \begin{cases} Q_0 > 0,\ P_0 \ge P^* \\ V_1.m = open \\ S.m = closed \\ V_2.m = open \\ Q_1 > 0,\ Q_2 > 0,\ Q > 0 \end{cases}$$

After observing $Q_0 > 0 \wedge Q = 0$, $A$ returns the diagnosis, based on the knowledge of the nominal states above:

$$s_F^1:\ \begin{cases} Q_0 > 0,\ P_0 < P^* \\ V_1.m = stuck\_closed \\ S.m = open \\ V_2.m = closed \\ Q_1 = 0,\ Q_2 = 0,\ Q = 0 \end{cases} \qquad s_F^2:\ \begin{cases} Q_0 > 0,\ P_0 \ge P^* \\ V_1.m = stuck\_closed \\ S.m = closed \\ V_2.m = stuck\_closed \\ Q_1 = 0,\ Q_2 = 0,\ Q = 0 \end{cases}$$

$$s_F^3:\ \begin{cases} Q_0 > 0,\ P_0 \ge P^* \\ V_1.m = stuck\_closed \\ S.m = stuck\_open \\ V_2.m = closed \\ Q_1 = 0,\ Q_2 = 0,\ Q = 0 \end{cases}$$

$s_F^1$ is the faulty state diagnosed from $s_N^1$, while $s_F^2$ and $s_F^3$ have been deduced from $s_N^2$. The hybrid states in $\mathcal{P}(A) = (s_N^1, s_N^2)$ and $\mathcal{D}(A) = (s_F^1, s_F^2, s_F^3)$ contain enough information for the autonomous system to extract its functional deficiencies.

3 Functional Deficiencies 

Given a belief on a model-based system $A$, we extend $\mathcal{P}(A)$ and $\mathcal{D}(A)$ with the state probabilities, such that $\mathcal{P}(A) = ((s_N^1, p(s_N^1)), \dots, (s_N^n, p(s_N^n)))$ is the set of the $n$ nominally predicted states with their associated probabilities, and $\mathcal{D}(A) = ((s_F^1, p(s_F^1)), \dots, (s_F^f, p(s_F^f)))$ the set of the $f$ faulty states from diagnosis with their attached probabilities. Given a variable $v$, we note $s(v)$ its value in state $s$. Any set of nominal and faulty states in $\mathcal{S}$ is denoted a reconfiguration set. We want to find a set $\mathcal{F}$ of prioritized variable instances in $\mathcal{M} \cup X$ that are the functional deficiencies between states in $\mathcal{P}(A)$ and $\mathcal{D}(A)$, and thus need to be recovered. The general idea developed in this section has been inspired by the model-based reconfiguration of logical functions in [14].


3.1 Deficient variable instances 


Given two states $(s_N, s_F)$ respectively from $\mathcal{P}(A)$ and $\mathcal{D}(A)$, and a variable $v$, we note $L(s_N(v), s_F(v))$ the measure of the common ground of $v$'s value in each state. We say that a variable whose instances in a pair of nominal/faulty states have less common ground than the observable variables that discriminated among these states is deficient. We write it as follows:

$$L(s_N(v), s_F(v)) < \frac{1}{nbr(Y_{misb})} \qquad (2)$$

where $nbr(Y_{misb})$ is the number of misbehaving observed variables. A misbehaving $y$ is an observed variable that triggered a fault detection, thus discriminating $s_N$ from $s_F$: $y$'s value in $s_F$ fits the measurement $\bar{y}$ better than its value in $s_N$ does. When relation (2) is satisfied, we say $L(s_N(v), s_F(v))$ is deficient. The definition of $L$ depends on the nature of the variables and on the expression of the uncertainty in the model.

In the case where variable domains are discrete, as in [16], variable instances have attached boolean labels. Misbehaving variables are observables labeled 1 in $s_N$ and 0 in $s_F$. We set $L(s_N(v), s_F(v)) = 1 - |lab(s_N(v)) - lab(s_F(v))|$, where $lab$ returns the label of a given instance. This case also applies to the measure of mode deficiencies.

In the case where variable instances are numerical intervals, as in [2], a misbehaving observed variable $y$ is such that $s_N(y) \cap \bar{y} = \emptyset$. We use $L(s_N(v), s_F(v)) = s_N(v) \cap s_F(v)$.

4 This corresponds to the general case of tracking multiple states simultaneously.

5 Flows $> 0$ are abstracted from their real values for improved readability.

In the case where a variable estimate is represented with a Gaussian law, as in [7], we say $y$ is misbehaving if $p(\bar{y} \mid s_F)\, p(T(s_N, s_F)) > p(\bar{y} \mid s_N)$, i.e. if its likelihood is higher in the diagnosed estimate than in the nominally predicted one, given the probability of changing mode. Here $p(T(s_N, s_F)) = p(s_N(\phi_1, \dots, \phi_r)) \sum_{i=1,\dots,r} p(\tau_i)$, where $r$ is the number of transitions leaving $s_N$ and reaching $s_F$. Given that $s_N \sim \mathcal{N}(m_N, \sigma_N)$ and $s_F \sim \mathcal{N}(m_F, \sigma_F)$, we define $L$ as the measure of the common space enclosed by both density functions $f_N$, $f_F$. Given $p_1$, $p_2$ the two intersection points of these curves, and considering that $\sigma_F > \sigma_N$ (otherwise, the notations are inverted):

$$L(s_N(v), s_F(v)) = \int_{-\infty}^{p_1} f_N(v)\,dv + \int_{p_1}^{p_2} f_F(v)\,dv + \int_{p_2}^{+\infty} f_N(v)\,dv \qquad (3)$$

$p_1$, $p_2$ are the solutions of $f_N(v) = f_F(v)$. Note that the Mahalanobis metric $(v - m)^T \sigma^{-1} (v - m)$ of both estimates is identical at the intersection points only when both estimates have the same variance: for $\sigma_F \ne \sigma_N$, equating the densities leaves the normalization term $2\ln(\sigma_F/\sigma_N)$ between the two Mahalanobis distances, so $p_1$, $p_2$ are the roots of the resulting quadratic rather than the points of equal Mahalanobis distance.
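As an added example (not code from the paper), the following Python computes relation (3) for two Gaussian estimates, applies the deficiency test of relation (2) and the misbehaving test of this paragraph, and exposes the gap between the two Mahalanobis distances at an intersection point, which is $2\ln(\sigma_F/\sigma_N)$ rather than zero. The numeric inputs in the usage section are constructed for illustration; only the standard library is used.

```python
import math

# Added example, not part of the paper: relation (3) for s_N ~ N(m_N, sigma_N)
# and s_F ~ N(m_F, sigma_F), relation (2), and the misbehaving test. The
# normal CDF comes from math.erf, so nothing beyond the standard library is needed.


def normal_cdf(v, m, sigma):
    """P(V <= v) for V ~ N(m, sigma^2)."""
    return 0.5 * (1.0 + math.erf((v - m) / (sigma * math.sqrt(2.0))))


def normal_pdf(v, m, sigma):
    return math.exp(-0.5 * ((v - m) / sigma) ** 2) / (sigma * math.sqrt(2.0 * math.pi))


def intersection_points(m_n, s_n, m_f, s_f):
    """Roots p1 <= p2 of f_N(v) = f_F(v) for s_n != s_f. Taking logs gives
    (v-m_N)^2/(2 s_N^2) - (v-m_F)^2/(2 s_F^2) = ln(s_F/s_N), a quadratic
    a v^2 + b v + c = 0; two Gaussians of different variance always cross twice."""
    a = 1.0 / (2 * s_n ** 2) - 1.0 / (2 * s_f ** 2)
    b = m_f / s_f ** 2 - m_n / s_n ** 2
    c = m_n ** 2 / (2 * s_n ** 2) - m_f ** 2 / (2 * s_f ** 2) + math.log(s_n / s_f)
    root = math.sqrt(b * b - 4 * a * c)
    r1, r2 = (-b - root) / (2 * a), (-b + root) / (2 * a)
    return min(r1, r2), max(r1, r2)


def common_ground(m_n, s_n, m_f, s_f):
    """Relation (3): area under min(f_N, f_F). The paper assumes sigma_F > sigma_N
    and swaps the notations otherwise; equal variances (a single crossing, not
    covered by (3)) are handled separately so the function is total."""
    if math.isclose(s_n, s_f):
        if math.isclose(m_n, m_f):
            return 1.0
        p = 0.5 * (m_n + m_f)  # the single crossing point
        lo, hi = (m_n, m_f) if m_n < m_f else (m_f, m_n)
        return normal_cdf(p, hi, s_f) + (1.0 - normal_cdf(p, lo, s_n))
    if s_n > s_f:  # "otherwise, the notations are inverted"
        m_n, s_n, m_f, s_f = m_f, s_f, m_n, s_n
    p1, p2 = intersection_points(m_n, s_n, m_f, s_f)
    tails = normal_cdf(p1, m_n, s_n) + (1.0 - normal_cdf(p2, m_n, s_n))
    middle = normal_cdf(p2, m_f, s_f) - normal_cdf(p1, m_f, s_f)
    return tails + middle


def is_deficient(l_value, nbr_misbehaving):
    """Relation (2)."""
    return l_value < 1.0 / nbr_misbehaving


def is_misbehaving(y_measured, m_n, s_n, m_f, s_f, p_transition):
    """p(y | s_F) p(T(s_N, s_F)) > p(y | s_N)."""
    return normal_pdf(y_measured, m_f, s_f) * p_transition > normal_pdf(y_measured, m_n, s_n)


def mahalanobis_gap(v, m_n, s_n, m_f, s_f):
    """Difference of the two squared Mahalanobis distances at v. At an
    intersection point it equals 2 ln(sigma_F / sigma_N): zero only when
    both estimates share the same variance."""
    return ((v - m_n) / s_n) ** 2 - ((v - m_f) / s_f) ** 2


if __name__ == "__main__":
    # Constructed inputs: a nominal estimate N(0, 1) against two faulty estimates.
    for m_f, s_f in ((0.0, 2.0), (3.0, 2.0)):
        l_value = common_ground(0.0, 1.0, m_f, s_f)
        print(f"N(0,1) vs N({m_f},{s_f}): L = {l_value:.4f}, deficient (2 misbehaving) = {is_deficient(l_value, 2)}")
    _, p2 = intersection_points(0.0, 1.0, 0.0, 2.0)
    print(f"Mahalanobis gap at p2 = {mahalanobis_gap(p2, 0.0, 1.0, 0.0, 2.0):.4f} = 2 ln 2")
```

With two misbehaving observables the threshold of relation (2) is 0.5, so a same-mean estimate whose variance merely doubled is not deficient, while one whose mean also shifted by three nominal standard deviations is.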

3.2 Functional Deficiencies 

Based on deficient variables, we build the functional deficiencies. 

Definition 2 (Functional deficiency). A functional deficiency $F$ for a model-based system $A$ over a set of hybrid states $\mathcal{S} = (\mathcal{P}(A), \mathcal{D}(A))$ is a set of variable instances of $\mathcal{M} \cup X$ that hold in some states of $\mathcal{P}(A)$, and that are deficient in some states of $\mathcal{D}(A)$. We denote as $S(F)$ the reconfiguration set associated to $F$. Consider $F$ as a conjunction of $n$ mean value instances as follows:

$$F = \bigwedge_{j=1,\dots,n} \Big( \sum_{i=1,\dots,p} p(s_N^i)\, s_N^i(v_j) \Big) \qquad (4)$$

then $(s_N^i, s_F^k) \in S(F)$ iff $L(s_N^i(v_j), s_F^k(v_j))$ is deficient for all $j$. 6

In other words, $S(F)$ includes all nominal and faulty states whose pairs show a deficiency for all the instances of $F$. $F$ is said to be complete w.r.t. a reconfiguration set $S'$ iff $S' = S(F)$. The complete $F$ over $S$ is unique.

Property 1. If $F$, $F'$ are complete functional deficiencies, then if $F' \subseteq F$, $S(F) \subseteq S(F')$.

Given two tuples $(F_1, S(F_1))$ and $(F_2, S(F_2))$, we write:

$$(F_1, S(F_1)) \sqcap (F_2, S(F_2)) = (F_1 \cap F_2,\ S(F_1) \cup S(F_2)) \qquad (5)$$

$$(F_1, S(F_1)) \sqcup (F_2, S(F_2)) = (F_1 \cup F_2,\ S(F_1) \cap S(F_2)) \qquad (6)$$

We note $F_1 \sqcap F_2$, $F_1 \sqcup F_2$ for short. From now on we consider a functional deficiency to be complete when not explicitly mentioned otherwise. Also, we sometimes write a functional deficiency as the conjunction of its elements. The tuple $(F, S(F))$ is denoted a reconfiguration tuple. Finally, it is possible to prioritize a functional deficiency 7:

$$pr(F) = \sum_{i=1}^{n} \sum_{j=1}^{f} p(s_N^i)\, p(s_F^j), \quad (s_N^i, s_F^j) \in S(F) \qquad (7)$$

Definition 3 (Core functional deficiency). The core functional deficiency $F_c$ has its elements satisfied in all states of $\mathcal{P}(A)$ and deficient in all states of $\mathcal{D}(A)$. The core function is unique for a given set $\mathcal{S}$, and its priority is equal to 1. 8

Note that at least all misbehaving variables in states of $S(F)$ do belong to the core deficiency, as does $Q$ in our example (the observation $Q = 0$ contradicts $Q > 0$ in every faulty state).

6 Discrete variable instances may not accept a mean value, and may form distinct functionalities.

3.3 Minimal functionalities over maximal 
reconfiguration sets 

This section develops a characterization of functional deficiencies whose size is minimal, while deficient over the largest number of state estimates. The reason is that the autonomous system certainly wants to operate minimal changes while covering the maximum number of states. We begin by characterizing a complete functional deficiency of minimal size.

Definition 4 (Minimal functional deficiency). A functional deficiency $F$ is minimal if there exists no functional deficiency $F'$ such that $F' \subset F$ and $S(F') = S(F)$.

We then characterize the maximal reconfiguration set.

Definition 5 (Maximal reconfiguration set). A functional deficiency $F$ has a maximal reconfiguration set $S(F)$ if there exists no other functional deficiency $F'$ such that $S(F) \subset S(F')$ and $F' \subseteq F$.

The search for minimal functional deficiencies over maximal reconfiguration sets leads to a set of functional deficiencies denoted minimax. A minimax functional deficiency represents the minimum set of variable instances that are deficient over the same maximum set of pairs of nominal/faulty states.

Proposition 1. Given two minimax functional deficiencies $F$ and $F'$ such that $F' \cap F \ne \emptyset$, then $S(F') = S(F)$.

Proof. Let $F'' = F' \cap F$ with $F'' \ne \emptyset$. Since $F'' \subseteq F$, Property 1 gives $S(F) \subseteq S(F'')$, and since $S(F)$ is maximal (definition 5), no subset of $F$ can have a strictly larger reconfiguration set, so $S(F) = S(F'')$. Similarly, $S(F'') = S(F')$, so $S(F) = S(F')$. □

According to definition 2, the completeness of two functionalities $F$ and $F'$ implies that if $S(F) = S(F')$, then $F = F'$. The previous proposition thus focuses the search on distinct minimax functions, and functional deficiencies may be characterized as disjoint sets of variable instances. This result brings flexibility to the reconfiguration process under uncertainty, but is mitigated by the fact that the disjoint functions are not independent from each other w.r.t. the hybrid dynamics. In other words, they may not be recovered independently: in reference to the recovery (planning) operation, these functionalities are not serializable goals.

Proposition 2. The core functional deficiency $F_c$ is minimax.

Proof. This is immediate from definitions 4 and 5. $F_c$ is also complete, with $S(F_c) = \mathcal{S}$. □

7 Note that in this expression there is no notion of fault criticality. Every faulty state is assumed to have equal criticality, but the probability of the state is taken into account.

8 Given that $\mathcal{P}(A)$ and $\mathcal{D}(A)$ have their state probabilities summing to 1.



3.4 Functional Deficiencies Computation

Algorithm 1: Computing minimax functional deficiencies

The computation of the minimax functional deficiencies is performed with algorithm 1. Its main principle is to progressively reduce simple non-minimax deficiencies. The first step computes the deficiencies for each combination of two states of $\mathcal{S}$ using the measure of relation (2), and computes the core function. Iterating through this set, step 3 prunes out of any deficiency its intersection with $F_c$. Step 4 prunes out of non-disjoint functionalities their intersection. Step 5 merges the reconfiguration sets of similar deficiencies.

A word on complexity: given $p$ nominal and $q$ faulty states, resulting in $f$ minimax deficiencies, the first step finds $pq + 1$ complete deficiencies, so the agenda initially holds $n_0 = pq + 1$ functions. Studying the loop that starts at step 2, we consider that an iteration checks all intersections among the $F_i$ currently in the agenda. Noting $n_j$ the number of checks at iteration $j$ and $e_j$ the number of functions eliminated at iteration $j$ (or added, for $e_j$ negative), the agenda shrinks by $e_j$ at each iteration. If $\mathcal{D}(A)$ is computed w.r.t. $\mathcal{P}(A)$, then in general $f = pq$. The total number of computed intersections is thus around $\sum_j n_j$, with $n_0 = pq + 1$. The algorithm is better understood by developing our example. Step 1 gives:

$(s_N^1, s_F^1):\ F_1 = (V_1.m = open) \wedge Q_1 > 0 \wedge Q > 0$

$(s_N^1, s_F^2):\ F_2 = P_0 < P^* \wedge (S.m = open) \wedge (V_2.m = closed) \wedge Q_1 > 0 \wedge Q > 0 \wedge (V_1.m = open)$

$(s_N^1, s_F^3):\ F_3 = P_0 < P^* \wedge (S.m = open) \wedge Q_1 > 0 \wedge Q > 0 \wedge (V_1.m = open)$

$(s_N^2, s_F^1):\ F_4 = P_0 \ge P^* \wedge (S.m = closed) \wedge (V_1.m = open) \wedge (V_2.m = open) \wedge Q_1 > 0 \wedge Q_2 > 0 \wedge Q > 0$

$(s_N^2, s_F^2):\ F_5 = (V_1.m = open) \wedge (V_2.m = open) \wedge Q_1 > 0 \wedge Q_2 > 0 \wedge Q > 0$

$(s_N^2, s_F^3):\ F_6 = (S.m = closed) \wedge (V_1.m = open) \wedge Q_1 > 0 \wedge Q_2 > 0 \wedge Q > 0 \wedge (V_2.m = open)$

$(s_N^1, s_N^2;\ s_F^1, s_F^2, s_F^3):\ F_c = (V_1.m = open) \wedge Q_1 > 0 \wedge Q > 0$

We have $F_1 = F_c$, so $F_1$ can be eliminated. Then reducing the other functions with $F_c$:

$F_2 = P_0 < P^* \wedge (S.m = open) \wedge (V_2.m = closed)$

$F_3 = P_0 < P^* \wedge (S.m = open)$

$F_4 = P_0 \ge P^* \wedge (S.m = closed) \wedge (V_2.m = open) \wedge Q_2 > 0$

$F_5 = (V_2.m = open) \wedge Q_2 > 0$

$F_6 = (S.m = closed) \wedge Q_2 > 0 \wedge (V_2.m = open)$

1. $F_2 \cap F_3 = P_0 < P^* \wedge (S.m = open)$; $F_7 \leftarrow P_0 < P^* \wedge (S.m = open)$, $S(F_7) = (s_N^1;\ s_F^2, s_F^3)$; $F_2 \leftarrow F_2 \setminus F_7 = (V_2.m = closed)$, $S(F_2) = (s_N^1;\ s_F^2)$. $F_7$ is added to the agenda.

2. $F_2 \cap F_4 = \emptyset$, $F_2 \cap F_5 = \emptyset$, $F_2 \cap F_6 = \emptyset$, and $F_2 = (V_2.m = closed)$ is minimax.

3. $F_3 \cap F_4 = \emptyset$, $F_3 \cap F_5 = \emptyset$, $F_3 \cap F_6 = \emptyset$, $F_3 = F_7$: remove $F_7$, $S(F_3) = (s_N^1;\ s_F^2, s_F^3)$. $F_3 = P_0 < P^* \wedge (S.m = open)$ is minimax.

4. $F_4 \cap F_5 = F_5$; $F_4 \leftarrow F_4 \setminus F_5 = P_0 \ge P^* \wedge (S.m = closed)$, $S(F_4) = (s_N^2;\ s_F^1)$, $S(F_5) = (s_N^2;\ s_F^1, s_F^2)$.

5. $F_4 \cap F_6 = (S.m = closed)$; $F_8 = (S.m = closed)$, $S(F_8) = (s_N^2;\ s_F^1, s_F^3)$; $F_4 \leftarrow F_4 \setminus F_8 = P_0 \ge P^*$, $S(F_4) = (s_N^2;\ s_F^1)$, and $F_4$ is minimax.

6. $F_6 \cap F_5 = F_5$; $F_6 \leftarrow F_6 \setminus F_5 = F_8$: remove $F_8$, $F_6 = (S.m = closed)$, $S(F_6) = (s_N^2;\ s_F^1, s_F^3)$, and the pair $(s_N^2, s_F^3)$ is merged into $S(F_5) = (s_N^2;\ s_F^1, s_F^2, s_F^3)$. $F_5$, $F_6$ are minimax.

Finally, the minimax functions are:

$F_c = (V_1.m = open) \wedge Q_1 > 0 \wedge Q > 0$, $S(F_c) = (s_N^1, s_N^2;\ s_F^1, s_F^2, s_F^3)$

$F_2 = (V_2.m = closed)$, $S(F_2) = (s_N^1;\ s_F^2)$

$F_3 = P_0 < P^* \wedge (S.m = open)$, $S(F_3) = (s_N^1;\ s_F^2, s_F^3)$

$F_4 = P_0 \ge P^*$, $S(F_4) = (s_N^2;\ s_F^1)$

$F_5 = (V_2.m = open) \wedge Q_2 > 0$, $S(F_5) = (s_N^2;\ s_F^1, s_F^2, s_F^3)$

$F_6 = (S.m = closed)$, $S(F_6) = (s_N^2;\ s_F^1, s_F^3)$

At this point, a possible extension to the functional deficiencies is to distinguish the continuous reduction of $F$, that is its reduction to variables in $X$, from the hybrid deficiency (made of both discrete and continuous instances). Intuitively, as the modes are relaxed, there exist more states that satisfy the continuous reduction of a deficiency than the hybrid deficiency. For this reason, we say the latter leads to reset solutions (as mode deficiencies are explicitly set up to be recovered), as opposed to redundancy solutions (modes are unspecified, and several component mode switches may be activated to recover the continuous deficiencies). We note $\tilde{F}$ the continuous reduction of $F$.
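As an added example (not the paper's code), the following Python computes the minimax functional deficiencies of the pressure expansion scenario and their priorities (relation (7)). Rather than replaying the agenda of algorithm 1 step by step, it tags every variable instance with the set of (nominal, faulty) pairs in which it is deficient and groups instances with identical pair sets; each group is a minimax deficiency $F$ and its pair set is $S(F)$, which on this example yields the same six functions as above. The state probabilities are an assumption (uniform), since the page gives none; values use the page's abstractions of flows and pressures.

```python
from fractions import Fraction
from itertools import product

# Added example, not part of the paper: minimax functional deficiencies of
# Section 3.4 by grouping instances on their deficiency pair sets, plus the
# priorities of relation (7). Values are the page's abstractions (flows ">0"
# or "=0", P0 against P*, mode names); the uniform probabilities are assumed.

NOMINAL = {
    "sN1": {"Q0": ">0", "P0": "<P*", "V1.m": "open", "S.m": "open",
            "V2.m": "closed", "Q1": ">0", "Q2": "=0", "Q": ">0"},
    "sN2": {"Q0": ">0", "P0": ">=P*", "V1.m": "open", "S.m": "closed",
            "V2.m": "open", "Q1": ">0", "Q2": ">0", "Q": ">0"},
}
FAULTY = {
    "sF1": {"Q0": ">0", "P0": "<P*", "V1.m": "stuck_closed", "S.m": "open",
            "V2.m": "closed", "Q1": "=0", "Q2": "=0", "Q": "=0"},
    "sF2": {"Q0": ">0", "P0": ">=P*", "V1.m": "stuck_closed", "S.m": "closed",
            "V2.m": "stuck_closed", "Q1": "=0", "Q2": "=0", "Q": "=0"},
    "sF3": {"Q0": ">0", "P0": ">=P*", "V1.m": "stuck_closed", "S.m": "stuck_open",
            "V2.m": "closed", "Q1": "=0", "Q2": "=0", "Q": "=0"},
}
P_NOMINAL = {name: Fraction(1, 2) for name in NOMINAL}  # assumed uniform
P_FAULTY = {name: Fraction(1, 3) for name in FAULTY}    # assumed uniform


def deficient(nominal_value, faulty_value):
    """Discrete-label case of relation (2): L = 1 - |lab_N - lab_F| falls
    below 1/nbr(Y_misb) exactly when the faulty state does not hold the instance."""
    return nominal_value != faulty_value


def minimax_deficiencies(nominal, faulty):
    """Map each minimax deficiency F (frozenset of (variable, value) instances)
    to S(F), the set of (nominal, faulty) state-name pairs over which every
    instance of F is deficient."""
    pairs_of = {}
    for (n, s_n), (f, s_f) in product(nominal.items(), faulty.items()):
        for var, val in s_n.items():
            if deficient(val, s_f.get(var)):
                pairs_of.setdefault((var, val), set()).add((n, f))
    by_pairs = {}
    for instance, pairs in pairs_of.items():
        by_pairs.setdefault(frozenset(pairs), set()).add(instance)
    return {frozenset(insts): pairs for pairs, insts in by_pairs.items()}


def priority(pairs, p_nominal, p_faulty):
    """Relation (7): pr(F) = sum of p(s_N) p(s_F) over (s_N, s_F) in S(F)."""
    return sum((p_nominal[n] * p_faulty[f] for n, f in pairs), Fraction(0))


def core_deficiency(deficiencies, nominal, faulty):
    """Definition 3: the F whose S(F) holds every (nominal, faulty) pair."""
    every_pair = frozenset(product(nominal, faulty))
    for f_set, pairs in deficiencies.items():
        if pairs == every_pair:
            return f_set
    return None


def pairwise_disjoint(deficiencies):
    """Section 3.3: minimax deficiencies are disjoint sets of instances."""
    fs = list(deficiencies)
    return all(not (fs[i] & fs[j]) for i in range(len(fs)) for j in range(i + 1, len(fs)))


if __name__ == "__main__":
    found = minimax_deficiencies(NOMINAL, FAULTY)
    ranked = sorted(found.items(), key=lambda kv: -priority(kv[1], P_NOMINAL, P_FAULTY))
    for f_set, pairs in ranked:
        body = " ^ ".join(f"{v} = {x}" for v, x in sorted(f_set))
        print(f"pr={priority(pairs, P_NOMINAL, P_FAULTY)}  F = {body}  S(F) = {sorted(pairs)}")
```

Ranking by priority puts $F_c$ first (priority 1) and then $F_5$, which is deficient against all three faulty states from $s_N^2$; this is the ordering the recovery process of Section 4 consumes.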

4 Reconfiguration of Functional Deficiencies 

This section focuses on reconfiguring a functional deficiency by identifying a set of goal states, and planning a recovery to those states. Ideally, a goal state specifies a value for all component modes, and may be inferred from the functional deficiency. In the case of a hybrid uncertain state however, the constraints in the form of continuous static/differential equations prevent a unique identification of the modes from a given continuous state point. Hence we propose to rely on an intrinsic property of hybrid systems, namely that the conditional statements $\phi$ naturally partition their behavioral space into hybrid regions that we refer to as configurations. We refer the reader to [2] for a formalization of these regions.

In the following, we denote as the goal functional deficiency $F^*$ the functional deficiency to be recovered. Its selection is part of the recovery process, and is detailed at the end of the section. For now, a simple $F^*$ is $F_c$, as its priority is maximal and it covers all state estimates.

Identifying the hybrid regions that enclose the values of $F^*$ is sufficient to form goals that we refer to as configuration goals (instead of goal states). They correspond to reduced sets of both component modes and equalities/inequalities over continuous variables.




Then, we must ensure that the goals are reachable by both the con- 
tinuous and discrete dynamics, respectively equations E and transi- 
tions T. 

4.1 Configurations identification 

We first enhance the model representation, then determine the goal configurations through a process similar to the consistency-based approach of model-based diagnosis. Indeed, reconfiguration can be viewed as the problem of identifying components whose reconfiguration is sufficient to restore acceptable behavior, whereas diagnosis is the problem of identifying components whose abnormality is sufficient to explain observed malfunctions [4].

4.1.1 Causal graph of influences

A first difficulty lies in equations in $E$ that may demand a time analysis for determining continuous variable values that are not set in $F^*$. A second problem lies in the non-existence of a bijection between modes $\mathcal{M}$ and a particular continuous region of the state space, as constrained by $E$. These problems can be tackled by first enhancing the model-based formalism with a causal representation of $E$.

Definition 6 (Causal Graph of Influences). The causal graph of influences of a set of equations $E$ is an oriented graph $G = (X, I)$ where the variables in $X$ form a set of nodes $x_i$, and $I$ a set of arcs among these variables.

The causal graph is a representation of relations among variables in $E$ that holds at any time step.

Definition 7 (Causal Influence). A causal influence in $I$, $I_{ij} = (x_i, x_j, b, \phi)$, is a directed arc between two variables $x_i$ and $x_j$, with $b$ the sign of the influence and $\phi$ its activation condition.

Influences are drawn from the implicit causality in $E$. Variables that are subject to no influence are referred to as the inputs of $G$. Figure 2 pictures the causal graph of the pressure expansion system. In the following we replace the equations in $E$ with $G$.

In general some work is required to extract the causality from static relations [15]. $b \in \{-1, 1\}$ stores the positive or negative numerical influence among variables. $\phi$'s truth value in the hybrid state determines the activation/deactivation of the influence in the graph. Unconditioned, the influence is permanently activated. The activation conditions represent the causality changes in the dynamics.

Definition 8 (Configuration). A configuration for $G$ (and by extension $A$) is of the form $\bigwedge_i \phi_i$.

A configuration delimits a region of behavior of $A$. In our example, $V_1.m = open \wedge V_2.m = open \wedge P_0 \ge P^* \wedge P_0 > P_1 \wedge P_0 > P_2 \wedge S.m = closed$ is a nominal configuration of the system.
4.1.2 Building configuration goals from functional deficiencies

We write the MBD theory based on consistency [13] where, for the reconfiguration purpose, observations are replaced with functional deficiencies. A deficiency $F^*$ has been characterized w.r.t. the state uncertainty. We are now searching for the minimal sets of conditions that are sufficient to restore $F^*$.



Figure 2. Pressure expansion system causal-graph 


Definition 9 (Reconfiguration candidate). A reconfiguration candidate for $A$ given $F^*$ is defined as a minimal set $\Delta = \{I_1, \dots, I_n\} \subseteq I$ of influences such that

$$A \cup F^* \cup \neg\phi_1 \cup \cdots \cup \neg\phi_n \qquad (8)$$

is consistent.

Definition 10 (Reconfiguration conflict). A reconfiguration conflict for $A$ given $F^*$ is a set $\Lambda = \{I_1, \dots, I_n\}$ of influences such that

$$A \cup F^* \cup \phi_1 \cup \cdots \cup \phi_n \qquad (9)$$

is not consistent.

From $G \cup F^*$ we seek reconfiguration conflicts in $G$, that is sets of influences that cannot be activated together given $F^*$. For a deficient variable (node) $x_j$ of $F^*$, we call ascending influences the influences that belong to the paths from the inputs, or from other deficient variables, to $x_j$. An ascending influence for $x_j$ is noted $\lambda_i = \{I_i, \phi_i\}$. A conflict for $x_j$ is thus the set $\Lambda_j$ of its ascending influences $\{\lambda_i\}$, and $\Lambda = \{\Lambda_j\}_{j=1,\dots,n_{F^*}}$ is the collection of conflicts over all deficient variables of $F^*$. The minimal sets of influences $\Delta$ that are candidates for the reconfiguration are obtained similarly to the diagnoses in the MBD theory, by computing the hitting sets ($HS$) over $\Lambda$ [13]. We note $\Delta_q = \big(\bigcup_{I_i \in \mathcal{I}_q} \phi_i\big)$ a reconfiguration candidate, where $\mathcal{I}_q$ is a set of influences. Consequently, $\Delta = \{\Delta_q\}_{q=1,\dots,n_q}$. We note $\neg\Delta = \{\neg\Delta_q\}_{q=1,\dots,n_q}$.


1: Apply $F^*$ to $G$.
2: Apply $S_F(F^*)$ to $G \setminus F^*$.
3: Get the conflicts $\Lambda$.
4: Compute $\Delta = HS(\Lambda)$.
5: $\neg\Delta \wedge F^*$ are goal configurations.

Algorithm 2: Identifying reconfiguration candidates (Goals)

Consider our example again. Reconfiguring $F^* = F_c$ with algorithm 2 implies $\phi_1$ is satisfied (step 1), and based on the remaining variable instances in the states of $S_F(F^*)$, the configuration of the subgraph $G \setminus F^*$ ($G$ deprived of the nodes of $F^*$ and of the arcs to them) is determined; in that case $\neg\phi_2$ is satisfied (step 2). Tracing the ascending influences in $G$, we obtain two sets of conflicts (one per continuous variable instance in $F^*$):

$$\Lambda_Q = \{Q \leftarrow Q_1,\ Q \leftarrow Q_2,\ Q_2 \leftarrow P_0,\ P_2 \leftarrow P_{atm}\}$$

$$\Lambda_{Q_1} = \{Q_1 \leftarrow P_0,\ Q_1 \leftarrow P_1,\ P_1 \leftarrow P_{atm}\}$$

$\phi_1$ is satisfied in $F_c$, and the influences over $Q$, $P_1$ and $P_2$ are activated in all configurations, so this simplifies to:

$$\Lambda_{Q_1} = \emptyset, \qquad \Lambda = \{\Lambda_Q\} = \{\{Q_2 \leftarrow P_0\}\}$$

It comes $\Delta = \{\{\neg\phi_2\}\}$, and $\phi_2 \wedge F_c$ is thus a valid goal configuration (step 5).

Reconfiguring the continuous reduction $\tilde{F}_c$ leads to more opportunities: $\phi_1$ is no longer satisfied and $\Lambda_{Q_1} = \{\neg\phi_1\}$, so $\Delta$ now has to hit both conflicts, and the configuration goals are given by $\neg\Delta \wedge \tilde{F}_c$.
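The hitting-set steps of algorithm 2 (steps 4 and 5) and of algorithm 3 below (steps 4 to 6) operate on explicit conflict collections once the ascending influences have been traced. As an added example (not the paper's code), the following Python takes such collections as input and returns the goal configurations; conditions are encoded as (name, truth value) pairs, so `("phi2", False)` stands for $\neg\phi_2$. The conflict collections in the usage and the extra three-condition case are constructed for illustration.

```python
from itertools import combinations

# Added example, not from the paper: minimal hitting sets over reconfiguration
# conflicts, then the goal configurations of algorithm 2 (¬Δ ∧ F*) and of
# algorithm 3 (Δ+ ∧ ¬Δ- ∧ F*, inconsistent combinations dropped). A condition
# is a (name, bool) pair; a conflict is a collection of conditions that
# currently hold on the ascending influences of one deficient variable.


def negate(cond):
    name, value = cond
    return (name, not value)


def minimal_hitting_sets(conflicts):
    """All minimal sets that intersect every conflict. Brute force over the
    union of the conflicts, smallest candidates first, skipping supersets of
    hitting sets already found; adequate for a handful of influences, not a
    replacement for Reiter's HS-tree on large graphs."""
    conflicts = [frozenset(c) for c in conflicts if c]
    if not conflicts:
        return [frozenset()]
    universe = sorted(frozenset().union(*conflicts))
    found = []
    for size in range(1, len(universe) + 1):
        for cand in combinations(universe, size):
            cand = frozenset(cand)
            if any(hs <= cand for hs in found):
                continue  # proper superset of a smaller hitting set: not minimal
            if all(cand & conflict for conflict in conflicts):
                found.append(cand)
    return found


def consistent(conds):
    """False when a condition and its negation both appear."""
    seen = {}
    for name, value in conds:
        if seen.setdefault(name, value) != value:
            return False
    return True


def goal_configurations(conflicts, f_star):
    """Algorithm 2, steps 4-5: Δ = HS(Λ); one goal ¬Δ_q ∧ F* per candidate."""
    return [frozenset(negate(c) for c in hs) | frozenset(f_star)
            for hs in minimal_hitting_sets(conflicts)]


def safe_goal_configurations(plus, minus, f_star):
    """Algorithm 3, steps 4-6: combine each Δ+ (influences to activate) with
    each ¬Δ- (influences to deactivate) and keep only consistent goals."""
    goals = []
    for hs_plus in minimal_hitting_sets(plus):
        for hs_minus in minimal_hitting_sets(minus):
            goal = frozenset(hs_plus) | frozenset(negate(c) for c in hs_minus) | frozenset(f_star)
            if consistent(goal) and goal not in goals:
                goals.append(goal)
    return goals


if __name__ == "__main__":
    f_c = [("F_c", True)]  # F* itself, carried along as a single condition
    print("F_c, one conflict {¬φ2}:", goal_configurations([[("phi2", False)]], f_c))
    print("F~_c, conflicts {¬φ2},{¬φ1}:",
          goal_configurations([[("phi2", False)], [("phi1", False)]], [("Fc_tilde", True)]))
    # Constructed case with two alternative candidates: {b} and {a, c}.
    print("HS({a,b},{b,c}):", minimal_hitting_sets([[("a", True), ("b", True)], [("b", True), ("c", True)]]))
    print("Q2 > 0 via algorithm 3:",
          safe_goal_configurations([[("phi2", True)]], [[("phi2", False)]], [("Q2_pos", True)]))
```

Note that with the two conflicts of the continuous reduction the only minimal hitting set contains both $\neg\phi_1$ and $\neg\phi_2$, so the goal demands $\phi_1 \wedge \phi_2$; alternative candidates only appear when a condition is shared between conflicts, as in the constructed case.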

4.2 Recovery

The recovery operation aims at bringing the system into the regions defined by the configuration goals. In our case, due to the hybrid dynamics, this process implies that a chain of transitions exists to the component mode goals, while the continuous dynamics ensure the transition guards are successively satisfied. Sets of component transitions $T_0, \dots, T_p$ must satisfy

$$A \cup \mathcal{D}(A) \cup T_0 \cup \cdots \cup T_p \cup F^* \qquad (10)$$

is consistent, where the current time of the system is set to $k_0$ and the initial state belongs to $\mathcal{D}(A)$. $Pl = \{T_0, \dots, T_p\}$ is a plan for the recovery. Noting $k_v$ the time at which transition $T_v$ triggers, the continuous dynamics must satisfy

$$\begin{cases} X(k_0) \cup \phi_0 \\ E(X(k_0)) \cup \phi_1 \\ E(X(k_1)) \cup \phi_2 \\ \vdots \\ E(X(k_{p-1})) \cup \phi_p \\ E(X(k_p)) \cup F^* \end{cases} \qquad (11)$$

are consistent, where $E(X(k_j))$ refers to the dynamics of relation (1), conditioned by $\phi_{j+1}$, and $X(0) = \sum_{s_F \in \mathcal{D}(A)} p(s_F)\, X_F(0)$. We say relations (10) and (11) define a hybrid system planning problem. To our knowledge, the planning of hybrid systems has received no attention yet. We believe that its development will be made necessary by several on-line applications.

Relation (10) defines a probabilistic conformant planning problem [8], where a set of transitions must bring the system to a set of predetermined goals, under uncertainty and without directly observing the system state. The plan maximizes the probability of the goal configuration given the initial belief state $\mathcal{D}(A)$. In our example, a stuck valve cannot be re-opened, so no plan exists for functionalities $F_c$ and $\tilde{F}_c$. A plan exists to $F_5$ for some initial states, $Pl = \{\tau_3, \tau_{21}\}$. $F_6$ has a plan $Pl = \{\tau_3\}$.

Relation (11) defines a control problem where the continuous dynamics must be forced to successive $\phi_j$ through the available inputs. A model predictive control (MPC) problem solves on-line a finite-horizon open-loop optimal control problem subject to the system dynamics and to constraints involving states and controls. Based on measurements obtained at time $k$, the future dynamic behavior of the system is predicted over a fixed horizon, and the controller determines the input such that a performance criterion is optimized. This technique fits well within the model-based autonomous system framework, given that two key elements are already present: the model $A$, and the state predictor (or estimator) $\mathcal{P}(A)$. By using control and measurement horizons of a single time step, a basic formulation of the MPC problem at time $k$ is

$$\begin{aligned} U^*(k+1) &= \arg\min_{U(k)} J(X(k), U(k)) \\ J(X(k), U(k)) &= \int_k^{k+1} F(X(t), U(t))\,dt \\ F(X, U) &= (X - X_s)^T Q (X - X_s) + (U - U_s)^T R (U - U_s) \\ X(k+1) &= f(X(k), U(k)) \\ 0 &\le h(X(k), U(k)) \end{aligned}$$

where $Q$ and $R$ denote positive definite symmetric weighting matrices, and $U^*(k+1)$ is the optimal input used in the prediction at $k+1$. Considering $\phi$ over $X$ in the form $\phi: l(X) \ge 0$, we note $\phi: l(X) + \epsilon = 0$ its reduction to an equality, where $\epsilon$ is a term that ensures the threshold is later satisfied. The function is evaluated at $k$ with $\phi(k): l(X(k)) + \epsilon$, and we note its inverse $\phi^{-1}(k)$. The MPC application to the control objective $\phi_j$ sets the set-point $(X_s, U_s)$ to $(\phi_j^{-1}(k), 0)$. In our example, $\tau_3$'s guard gives $\phi_3^{-1}(k) = P^* + \epsilon'$.

Again, we face the fact that $\mathcal{P}(A)(k) = \{s^1, \dots, s^n\}$ likely contains multiple state estimates. Thus the minimization must apply to each $F(X^i(k), U(k))$, returning $U^{*,i}(k+1)$. We merge the optimized input candidates according to the states' estimated probabilities:

$$U^*(k+1) = \sum_i p(X^i(k))\, U^{*,i}(k+1) \qquad (12)$$

Finally, when $\phi_j$ is reached, transition $T_j$ should trigger, and MPC then focuses on $\phi_{j+1}$. The last MPC set-point is $F^*$.

Solving this control problem however requires more research. First, the MPC community itself seeks better integration of modern state estimation techniques within the control loop [10]. Second, $\phi$'s inverse is a problem in practice. The control could instead focus on bringing the system state back to the geometrical center of the goal configuration region. This is yet to be explored. Third, optimality and especially stability problems, though far outside the scope of this paper, must be tackled in the case of control based on multiple state estimates. Modern hybrid state estimators should be coupled with powerful techniques such as Quasi-Infinite Horizon NMPC [3]. Note that recent developments also pave the way for powerful stability and safety/reachability analysis of these controllers [1].

4.3 Reaching the goals: safety and convergence 

Considering the context of a faulty system, the reconfiguration pro- 
cess should be safe, not making the situation worse. In our 
case, the identification of goal configurations may produce multiple 
solutions without ensuring that they are reachable. In this sec- 
tion we improve algorithm 2 by restricting the goal solutions to those 
that are guaranteed to be reachable under monotonous continuous 
dynamics. To ensure the latter, and given a variable v that 
appears in F* (instance v*), the sign of (S_N(v) − S_F(v)) is stud- 
ied, where (S_N, S_F) is the reconfiguration set of F*. Here, we use 
v* = Σ_{s_F ∈ V(Δ)} P(s_F) s_F(v). Algorithm 2 is modified such that Δ 
becomes Δ⁻, the set of influences to be deactivated, while Δ⁺, the 
set of influences to be activated, is constructed as follows: 

• Given a path of ascending influences {I_{i_1,i_2}, …, I_{i_n,j}} from x_i to 
x_j involved in F*, if α_i (S_N(x_j) − S_F(x_j)) > 0, 
then for each o_k that is not satisfied, add I_{i_k,i_{k+1}} to Δ⁺. 

• Otherwise, if the above criterion is not satisfied while o_k is, then 
add I_{i_k,i_{k+1}} to Δ⁻. 

This corresponds to activating every ascending path whose combined 
influences have a beneficial effect on the restoration of F*. The ap- 
proach is conservative, as equality to 0 in the test is not considered. 


1: Apply F* to G. 
2: Apply S_F(F*) to G \ F*. 
3: Get the conflicts Δ⁺, Δ⁻. 
4: Compute Δ⁺ = HS(Δ⁺) and Δ⁻ = HS(Δ⁻). 
5: Do Δ = Δ⁺ ⊗ ¬Δ⁻ and eliminate inconsistent configurations. 
6: Δ ∧ F* are goal configurations. 

Algorithm 3: Identifying reconfiguration candidates (SafeGoals) 

Back to our example, we reconfigure F_5 = Q_2 > 0. Step 3 of 
algorithm 3 gives Δ⁺_{Q_2} = {Q_2 & P_0}, Δ⁻_{Q_2} = {Q_2 0}, thus 
Δ⁺ = {{φ_2}}, Δ⁻ = {{¬φ_a}}. The solution is the same as re- 
turned by algorithm 2, but it is now ensured that opening V_1 brings 
the flow back into the right direction. 

The safety may not be ensured when negative and positive effects 
on a variable are activated via the same condition, as over Q_1 in our 
example. If P_atm were not considered a constant, a numerical 
analysis would have been required here. 
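As an added illustration of the sign test above and of steps 3 to 6 of algorithm 3 (example code written for this page, not the paper's implementation), the following Python builds Δ⁺ and Δ⁻ from the ascending paths of a small influence graph, computes the minimal hitting sets HS(·), and combines them into goal configurations while dropping inconsistent ones. The plant, the conditions phi1 to phi3, the values S_N and S_F, and the scoring of a path by the product of its influence signs (used here as α_i) are constructed assumptions, not taken from the paper.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

# An influence I_{a,b}: variable a acts on variable b with sign +1 or -1,
# and is active only while its activation condition o holds.
Influence = Tuple[str, str, int, str]   # (source, target, sign, condition)


def ascending_paths(influences: List[Influence], target: str) -> List[List[Influence]]:
    """All simple ascending paths ending at `target`, as ordered influence lists."""
    incoming: Dict[str, List[Influence]] = {}
    for inf in influences:
        incoming.setdefault(inf[1], []).append(inf)
    paths: List[List[Influence]] = []

    def walk(node: str, suffix: List[Influence], seen: frozenset) -> None:
        for inf in incoming.get(node, []):
            src = inf[0]
            if src in seen:          # keep paths simple (no cycles)
                continue
            path = [inf] + suffix
            paths.append(path)
            walk(src, path, seen | {src})

    walk(target, [], frozenset([target]))
    return paths


def conflicts(influences, satisfied, s_n, s_f, targets):
    """Step 3: the conflict collections Delta+ (to activate) and Delta- (to deactivate).

    Assumption: alpha is the product of the influence signs along the path."""
    delta_pos: List[FrozenSet[str]] = []
    delta_neg: List[FrozenSet[str]] = []
    for x_j in targets:
        need = s_n[x_j] - s_f[x_j]          # sign of the deviation to correct
        if need == 0:                        # equality to 0 is not considered (conservative)
            continue
        for path in ascending_paths(influences, x_j):
            alpha = 1
            for _, _, sign, _ in path:
                alpha *= sign
            conds = [o for _, _, _, o in path]
            if alpha * need > 0:             # path pushes x_j the right way: activate it
                c = frozenset(o for o in conds if not satisfied[o])
                if c:
                    delta_pos.append(c)
            else:                            # path pushes x_j the wrong way: cut it
                c = frozenset(o for o in conds if satisfied[o])
                if c:
                    delta_neg.append(c)
    return delta_pos, delta_neg


def minimal_hitting_sets(collection: List[FrozenSet[str]]) -> List[FrozenSet[str]]:
    """Step 4, HS(.): every minimal set intersecting each member of `collection`."""
    if not collection:
        return [frozenset()]
    universe = sorted(set().union(*collection))
    result: List[FrozenSet[str]] = []
    for k in range(1, len(universe) + 1):
        for cand in combinations(universe, k):
            cs = frozenset(cand)
            if all(cs & c for c in collection) and not any(r <= cs for r in result):
                result.append(cs)
    return result


def safe_goals(influences, satisfied, s_n, s_f, targets):
    """Steps 5-6: Delta+ combined with negated Delta-, minus configurations that
    would activate and deactivate the same condition."""
    delta_pos, delta_neg = conflicts(influences, satisfied, s_n, s_f, targets)
    goals = []
    for act in minimal_hitting_sets(delta_pos):
        for deact in minimal_hitting_sets(delta_neg):
            if act & deact:                  # inconsistent configuration
                continue
            goals.append(frozenset([(o, True) for o in act] + [(o, False) for o in deact]))
    return goals


# Constructed example (not the paper's system): pressure P0 feeds Q2 through Q1
# when conditions phi1, phi2 hold, and a bypass with a negative effect under phi3.
INFLUENCES: List[Influence] = [
    ("P0", "Q1", +1, "phi1"),
    ("Q1", "Q2", +1, "phi2"),
    ("P0", "Q2", -1, "phi3"),
]
SATISFIED = {"phi1": True, "phi2": False, "phi3": True}
S_N = {"Q2": 1.0}     # predicted nominal value of Q2
S_F = {"Q2": 0.0}     # diagnosed faulty value: the functionality Q2 > 0 is lost

if __name__ == "__main__":
    for g in safe_goals(INFLUENCES, SATISFIED, S_N, S_F, ["Q2"]):
        print(sorted(g))
```

On this constructed plant the only goal configuration activates phi2 and deactivates phi3, which is the shape of the paper's Δ⁺ = {{φ_2}}, Δ⁻ = {{¬φ_a}} result: the positive path is switched on and the path that would push Q2 the wrong way is switched off.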

4 A Prioritized selection of functional deficiencies 

Our general strategy for the reconfiguration of the functional deficien- 
cies explores reset solutions first, then redundancy solutions (contin- 
uous reductions), in prioritized order. In case of plan failure, the next 
deficiency is selected (algorithm 4). In our example, s_F^2 and s_F have 
a much lower probability than s_F^1 as they correspond to double faults. 
F_c is subject to plan failure. F_6: S_m = closed is its own goal con- 
figuration and has a plan T_3 whose guard is P_0 > P*. MPC generates 
the pressure input P_0 to reach that level. Note that, depending on the 
real initial state, the reconfiguration may have no effect. The opera- 
tion does not harm the system, though: we consider that maintaining a 
nominal level of pressure does not harm even the faulty system, and 
it may help discriminate among the estimates. For example, if recon- 
figuring F_6 fails, s_F, and potentially s_F, are eliminated. 

1: Compute functional deficiencies with algorithm 1. 
2: Identify goal configurations with algorithm 2 or 3. 
3: Find a plan; in case of failure, move to the next deficiency in 
prioritized order. 
4: Apply MPC using V(Δ) as the predictor. 

Algorithm 4: Prioritized selection of functional deficiencies 
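The following Python is an added example (written for this page, not the paper's code) that serves two passages: the probabilistic conformant planning of relation (10), and steps 2 and 3 of algorithm 4 together with the discrimination among estimates described just above. Plans are executed blind over the whole belief state V(Δ), the plan with the highest goal probability is kept, a deficiency with no plan is skipped in favour of the next one, and after execution the estimates inconsistent with the observed outcome are eliminated. The plant (two valves and a pump), its transitions, the belief and the deficiencies are constructed assumptions; the MPC step of algorithm 4 is not modelled.

```python
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# State of the constructed plant (not the paper's): (valve V1, valve V2, pump).
State = Tuple[str, str, str]
Belief = Dict[State, float]          # V(Delta): probability of each state estimate
Goal = Callable[[State], bool]

# Transitions T_k as (guard, effect). The plan is executed without observing the
# state: where the guard does not hold, the transition is a no-op in that estimate.
TRANSITIONS: Dict[str, Tuple[Callable[[State], bool], Callable[[State], State]]] = {
    "open_v1":    (lambda s: s[0] == "closed", lambda s: ("open", s[1], s[2])),
    "open_v2":    (lambda s: s[1] == "closed", lambda s: (s[0], "open", s[2])),
    "start_pump": (lambda s: s[2] == "off",    lambda s: (s[0], s[1], "on")),
}


def run_plan(belief: Belief, plan: List[str]) -> Belief:
    """Propagate the whole belief state through a sequence of transitions."""
    for name in plan:
        guard, effect = TRANSITIONS[name]
        nxt: Belief = {}
        for s, p in belief.items():
            ns = effect(s) if guard(s) else s
            nxt[ns] = nxt.get(ns, 0.0) + p
        belief = nxt
    return belief


def goal_probability(belief: Belief, goal: Goal) -> float:
    """Probability mass of the belief that satisfies the goal configuration."""
    return sum(p for s, p in belief.items() if goal(s))


def conformant_plan(belief: Belief, goal: Goal, horizon: int = 3) -> Optional[Tuple[List[str], float]]:
    """Relation (10): the plan of at most `horizon` steps maximizing the probability
    of the goal given only the initial belief. None means plan failure."""
    best_plan, best_p = [], goal_probability(belief, goal)
    for k in range(1, horizon + 1):
        for plan in product(TRANSITIONS, repeat=k):
            p = goal_probability(run_plan(belief, list(plan)), goal)
            if p > best_p + 1e-12:
                best_plan, best_p = list(plan), p
    return (best_plan, best_p) if best_p > 0 else None


def prioritized_recovery(belief: Belief, deficiencies, horizon: int = 3):
    """Algorithm 4, steps 2-3: try deficiencies in priority order; on plan failure
    move to the next one. Returns (deficiency name, (plan, probability)) or None."""
    for name, _prio, goal in sorted(deficiencies, key=lambda d: -d[1]):
        result = conformant_plan(belief, goal, horizon)
        if result is not None:
            return name, result
    return None


def condition_on_outcome(belief: Belief, plan: List[str], goal: Goal, succeeded: bool) -> Belief:
    """Discriminate among estimates: keep only those whose predicted outcome of the
    executed plan matches what was observed, then renormalize."""
    kept = {s: p for s, p in belief.items()
            if goal(next(iter(run_plan({s: 1.0}, plan)))) == succeeded}
    total = sum(kept.values())
    return {s: p / total for s, p in kept.items()} if total else {}


# Constructed belief: V1 stuck closed is the single fault; the others are double faults.
BELIEF: Belief = {
    ("stuck", "closed", "off"):    0.7,   # s1: V1 stuck
    ("stuck", "stuck", "off"):     0.2,   # s2: V1 and V2 stuck
    ("stuck", "closed", "failed"): 0.1,   # s3: V1 stuck, pump failed
}
# Deficiencies with their priority (higher first) and goal configuration.
DEFICIENCIES = [
    ("F_flow",     2, lambda s: s[0] == "open"),                   # needs V1 re-opened
    ("F_pressure", 1, lambda s: s[1] == "open" and s[2] == "on"),  # pump through V2
]

if __name__ == "__main__":
    print(prioritized_recovery(BELIEF, DEFICIENCIES))
```

Here F_flow has no plan, since a stuck valve cannot be re-opened, so recovery moves on to F_pressure, whose plan succeeds only under the single-fault estimate; if that plan is then observed to fail, the single-fault estimate is eliminated and the belief is left over the two double-fault estimates, which is the discrimination effect the text describes.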

5 Summary, Existing works and Perspectives 

We have presented a methodology for the automated reconfiguration of 
functional deficiencies. The deficiencies are identified by comparing 
predicted and diagnosed states, and then partitioned and prioritized 
over the state estimates. Goals are further identified from the defi- 
ciencies. Planning and MPC techniques are used together to move 
the system toward the goals. 


To our knowledge, automated MBReconf has not yet received 
much attention. A pioneering work, [4], explores the analogy between 
the problems of diagnosis and reconfiguration. Goal identification 
and safe planning have been studied in [17] in the case of qualitative 
models. We are not aware of any work on the planning of hybrid 
systems. 

Several improvements are planned. First, it appears that restoring 
a single minimax deficiency does not restore a full nominal state: an 
alternate strategy would be to combine the deficiencies so as to restore a 
single nominal state, selected to maximize the chances 
of a successful reconfiguration w.r.t. the uncertainty on the faulty es- 
timate. Second, the SafeGoals algorithm should be enhanced to 
tackle more complex dynamics. Third, we would like to explore and 
formalize the planning of hybrid systems. Finally, we consider inte- 
grating the selection of deficiencies within the recovery plan genera- 
tion by using contingency branches [9]. 